[packages/kernel.git] / 2.6.1-NF-connlimit-20040107.patch

diff -Nur linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_connlimit.h linux-2.6.1/include/linux/netfilter_ipv4/ipt_connlimit.h
--- linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_connlimit.h	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.1/include/linux/netfilter_ipv4/ipt_connlimit.h	2004-01-14 11:11:52.000000000 +0100
@@ -0,0 +1,12 @@
+#ifndef _IPT_CONNLIMIT_H
+#define _IPT_CONNLIMIT_H
+
+struct ipt_connlimit_data;
+
+struct ipt_connlimit_info {
+	int limit;
+	int inverse;
+	u_int32_t mask;
+	struct ipt_connlimit_data *data;
+};
+#endif /* _IPT_CONNLIMIT_H */
diff -Nur linux-2.6.1.org/net/ipv4/netfilter/Kconfig linux-2.6.1/net/ipv4/netfilter/Kconfig
--- linux-2.6.1.org/net/ipv4/netfilter/Kconfig	2004-01-14 10:35:38.000000000 +0100
+++ linux-2.6.1/net/ipv4/netfilter/Kconfig	2004-01-14 11:11:52.000000000 +0100
@@ -688,5 +688,26 @@
 	  
 	    Weight of the packet with non-priviliged destination port.
 
+config IP_NF_MATCH_CONNLIMIT
+	tristate  'Connections/IP limit match support'
+	depends on IP_NF_IPTABLES
+	  help
+	  This adds an iptables match which allows you to restrict the
+	  number of parallel TCP connections to a server per client IP address
+	  (or address block).
+	  
+	  Examples:
+	  
+	  # allow 2 telnet connections per client host
+	  iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
+	  
+	  # you can also match the other way around:
+	  iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
+	  
+	  # limit the nr of parallel http requests to 16 per class C sized
+	  # network (24 bit netmask)
+	  iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
+	  	--connlimit-mask 24 -j REJECT
+
 endmenu
 
diff -Nur linux-2.6.1.org/net/ipv4/netfilter/Makefile linux-2.6.1/net/ipv4/netfilter/Makefile
--- linux-2.6.1.org/net/ipv4/netfilter/Makefile	2004-01-14 10:35:38.000000000 +0100
+++ linux-2.6.1/net/ipv4/netfilter/Makefile	2004-01-14 11:11:52.000000000 +0100
@@ -72,6 +72,7 @@
 
 obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
 obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
+obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
 obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
 obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
 
diff -Nur linux-2.6.1.org/net/ipv4/netfilter/ipt_connlimit.c linux-2.6.1/net/ipv4/netfilter/ipt_connlimit.c
--- linux-2.6.1.org/net/ipv4/netfilter/ipt_connlimit.c	1970-01-01 01:00:00.000000000 +0100
+++ linux-2.6.1/net/ipv4/netfilter/ipt_connlimit.c	2004-01-14 13:07:24.000000000 +0100
@@ -0,0 +1,232 @@
+/*
+ * netfilter module to limit the number of parallel tcp
+ * connections per IP address.
+ *   (c) 2000 Gerd Knorr <kraxel@bytesex.org>
+ *   Nov 2002: Martin Bene <martin.bene@icomedias.com>:
+ *		only ignore TIME_WAIT or gone connections
+ *
+ * based on ...
+ *
+ * Kernel module to match connection tracking information.
+ * GPL (C) 1999  Rusty Russell (rusty@rustcorp.com.au).
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/list.h>
+#include <linux/netfilter_ipv4/ip_conntrack.h>
+#include <linux/netfilter_ipv4/ip_conntrack_core.h>
+#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_connlimit.h>
+
+#define DEBUG 0
+
+MODULE_LICENSE("GPL");
+
+/* we'll save the tuples of all connections we care about */
+struct ipt_connlimit_conn
+{
+        struct list_head list;
+	struct ip_conntrack_tuple tuple;
+};
+
+struct ipt_connlimit_data {
+	spinlock_t lock;
+	struct list_head iphash[256];
+};
+
+static int ipt_iphash(u_int32_t addr)
+{
+	int hash;
+
+	hash  =  addr        & 0xff;
+	hash ^= (addr >>  8) & 0xff;
+	hash ^= (addr >> 16) & 0xff;
+	hash ^= (addr >> 24) & 0xff;
+	return hash;
+}
+
+static int count_them(struct ipt_connlimit_data *data,
+		      u_int32_t addr, u_int32_t mask,
+		      struct ip_conntrack *ct)
+{
+#if DEBUG
+	const static char *tcp[] = { "none", "established", "syn_sent", "syn_recv",
+				     "fin_wait", "time_wait", "close", "close_wait",
+				     "last_ack", "listen" };
+#endif
+	int addit = 1, matches = 0;
+	struct ip_conntrack_tuple tuple;
+	struct ip_conntrack_tuple_hash *found;
+	struct ipt_connlimit_conn *conn;
+	struct list_head *hash,*lh;
+
+	spin_lock(&data->lock);
+	tuple = ct->tuplehash[0].tuple;
+	hash = &data->iphash[ipt_iphash(addr & mask)];
+
+	/* check the saved connections */
+	for (lh = hash->next; lh != hash; lh = lh->next) {
+		conn = list_entry(lh,struct ipt_connlimit_conn,list);
+		found = ip_conntrack_find_get(&conn->tuple,ct);
+		if (0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
+		    found != NULL &&
+		    found->ctrack->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
+			/* Just to be sure we have it only once in the list.
+			   We should'nt see tuples twice unless someone hooks this
+			   into a table without "-p tcp --syn" */
+			addit = 0;
+		}
+#if DEBUG
+		printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d %s\n",
+		       ipt_iphash(addr & mask),
+		       NIPQUAD(conn->tuple.src.ip), ntohs(conn->tuple.src.u.tcp.port),
+		       NIPQUAD(conn->tuple.dst.ip), ntohs(conn->tuple.dst.u.tcp.port),
+		       (NULL != found) ? tcp[found->ctrack->proto.tcp.state] : "gone");
+#endif
+		if (NULL == found) {
+			/* this one is gone */
+			lh = lh->prev;
+			list_del(lh->next);
+			kfree(conn);
+			continue;
+		}
+		if (found->ctrack->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT) {
+			/* we don't care about connections which are
+			   closed already -> ditch it */
+			lh = lh->prev;
+			list_del(lh->next);
+			kfree(conn);
+			nf_conntrack_put(&found->ctrack->infos[0]);
+			continue;
+		}
+		if ((addr & mask) == (conn->tuple.src.ip & mask)) {
+			/* same source IP address -> be counted! */
+			matches++;
+		}
+		nf_conntrack_put(&found->ctrack->infos[0]);
+	}
+	if (addit) {
+		/* save the new connection in our list */
+#if DEBUG
+		printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d new\n",
+		       ipt_iphash(addr & mask),
+		       NIPQUAD(tuple.src.ip), ntohs(tuple.src.u.tcp.port),
+		       NIPQUAD(tuple.dst.ip), ntohs(tuple.dst.u.tcp.port));
+#endif
+		conn = kmalloc(sizeof(*conn),GFP_ATOMIC);
+		if (NULL == conn)
+			return -1;
+		memset(conn,0,sizeof(*conn));
+		INIT_LIST_HEAD(&conn->list);
+		conn->tuple = tuple;
+		list_add(&conn->list,hash);
+		matches++;
+	}
+	spin_unlock(&data->lock);
+	return matches;
+}
+
+static int
+match(const struct sk_buff *skb,
+      const struct net_device *in,
+      const struct net_device *out,
+      const void *matchinfo,
+      int offset,
+      const void *hdr,
+      u_int16_t datalen,
+      int *hotdrop)
+{
+	const struct ipt_connlimit_info *info = matchinfo;
+	int connections, match;
+	struct ip_conntrack *ct;
+	enum ip_conntrack_info ctinfo;
+
+	ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
+	if (NULL == ct) {
+		printk("ipt_connlimit: Oops: invalid ct state ?\n");
+		*hotdrop = 1;
+		return 0;
+	}
+	connections = count_them(info->data,skb->nh.iph->saddr,info->mask,ct);
+	if (-1 == connections) {
+		printk("ipt_connlimit: Hmm, kmalloc failed :-(\n");
+		*hotdrop = 1; /* let's free some memory :-) */
+		return 0;
+	}
+        match = (info->inverse) ? (connections <= info->limit) : (connections > info->limit);
+#if DEBUG
+	printk("ipt_connlimit: src=%u.%u.%u.%u mask=%u.%u.%u.%u "
+	       "connections=%d limit=%d match=%s\n",
+	       NIPQUAD(skb->nh.iph->saddr), NIPQUAD(info->mask),
+	       connections, info->limit, match ? "yes" : "no");
+#endif
+
+	return match;
+}
+
+static int check(const char *tablename,
+		 const struct ipt_ip *ip,
+		 void *matchinfo,
+		 unsigned int matchsize,
+		 unsigned int hook_mask)
+{
+	struct ipt_connlimit_info *info = matchinfo;
+	int i;
+
+	/* verify size */
+	if (matchsize != IPT_ALIGN(sizeof(struct ipt_connlimit_info)))
+		return 0;
+
+	/* refuse anything but tcp */
+	if (ip->proto != IPPROTO_TCP)
+		return 0;
+
+	/* init private data */
+	info->data = kmalloc(sizeof(struct ipt_connlimit_data),GFP_KERNEL);
+	spin_lock_init(&(info->data->lock));
+	for (i = 0; i < 256; i++)
+		INIT_LIST_HEAD(&(info->data->iphash[i]));
+	
+	return 1;
+}
+
+static void destroy(void *matchinfo, unsigned int matchinfosize)
+{
+	struct ipt_connlimit_info *info = matchinfo;
+	struct ipt_connlimit_conn *conn;
+	struct list_head *hash;
+	int i;
+
+	/* cleanup */
+	for (i = 0; i < 256; i++) {
+		hash = &(info->data->iphash[i]);
+		while (hash != hash->next) {
+			conn = list_entry(hash->next,struct ipt_connlimit_conn,list);
+			list_del(hash->next);
+			kfree(conn);
+		}
+	}
+	kfree(info->data);
+}
+
+static struct ipt_match connlimit_match = { 
+	.name		= "connlimit", 
+	.match		= &match, 
+	.checkentry	= &check,
+	.me		= THIS_MODULE,
+};
+
+static int __init init(void)
+{
+	return ipt_register_match(&connlimit_match);
+}
+
+static void __exit fini(void)
+{
+	ipt_unregister_match(&connlimit_match);
+
+}
+
+module_init(init);
+module_exit(fini);
Commit	Line	Data
559a2977	1	diff -Nur linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_connlimit.h linux-2.6.1/include/linux/netfilter_ipv4/ipt_connlimit.h
	2	--- linux-2.6.1.org/include/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100
	3	+++ linux-2.6.1/include/linux/netfilter_ipv4/ipt_connlimit.h 2004-01-14 11:11:52.000000000 +0100
	4	@@ -0,0 +1,12 @@
	5	+#ifndef _IPT_CONNLIMIT_H
	6	+#define _IPT_CONNLIMIT_H
	7	+
	8	+struct ipt_connlimit_data;
	9	+
	10	+struct ipt_connlimit_info {
	11	+ int limit;
	12	+ int inverse;
	13	+ u_int32_t mask;
	14	+ struct ipt_connlimit_data *data;
	15	+};
	16	+#endif /* _IPT_CONNLIMIT_H */
	17	diff -Nur linux-2.6.1.org/net/ipv4/netfilter/Kconfig linux-2.6.1/net/ipv4/netfilter/Kconfig
	18	--- linux-2.6.1.org/net/ipv4/netfilter/Kconfig 2004-01-14 10:35:38.000000000 +0100
	19	+++ linux-2.6.1/net/ipv4/netfilter/Kconfig 2004-01-14 11:11:52.000000000 +0100
	20	@@ -688,5 +688,26 @@
	21
	22	Weight of the packet with non-priviliged destination port.
	23
	24	+config IP_NF_MATCH_CONNLIMIT
	25	+ tristate 'Connections/IP limit match support'
	26	+ depends on IP_NF_IPTABLES
	27	+ help
	28	+ This adds an iptables match which allows you to restrict the
	29	+ number of parallel TCP connections to a server per client IP address
	30	+ (or address block).
	31	+
	32	+ Examples:
	33	+
	34	+ # allow 2 telnet connections per client host
	35	+ iptables -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
	36	+
	37	+ # you can also match the other way around:
	38	+ iptables -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
	39	+
	40	+ # limit the nr of parallel http requests to 16 per class C sized
	41	+ # network (24 bit netmask)
	42	+ iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 \
	43	+ --connlimit-mask 24 -j REJECT
	44	+
	45	endmenu
	46
	47	diff -Nur linux-2.6.1.org/net/ipv4/netfilter/Makefile linux-2.6.1/net/ipv4/netfilter/Makefile
	48	--- linux-2.6.1.org/net/ipv4/netfilter/Makefile 2004-01-14 10:35:38.000000000 +0100
	49	+++ linux-2.6.1/net/ipv4/netfilter/Makefile 2004-01-14 11:11:52.000000000 +0100
	50	@@ -72,6 +72,7 @@
	51
	52	obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
	53	obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
	54	+obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
	55	obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
	56	obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
	57
	58	diff -Nur linux-2.6.1.org/net/ipv4/netfilter/ipt_connlimit.c linux-2.6.1/net/ipv4/netfilter/ipt_connlimit.c
	59	--- linux-2.6.1.org/net/ipv4/netfilter/ipt_connlimit.c 1970-01-01 01:00:00.000000000 +0100
	60	+++ linux-2.6.1/net/ipv4/netfilter/ipt_connlimit.c 2004-01-14 13:07:24.000000000 +0100
	61	@@ -0,0 +1,232 @@
	62	+/*
	63	+ * netfilter module to limit the number of parallel tcp
	64	+ * connections per IP address.
65	+ * (c) 2000 Gerd Knorr <kraxel@bytesex.org>
66	+ * Nov 2002: Martin Bene <martin.bene@icomedias.com>:
67	+ * only ignore TIME_WAIT or gone connections
68	+ *
69	+ * based on ...
70	+ *
71	+ * Kernel module to match connection tracking information.
72	+ * GPL (C) 1999 Rusty Russell (rusty@rustcorp.com.au).
73	+ */
74	+#include <linux/module.h>
75	+#include <linux/skbuff.h>
76	+#include <linux/list.h>
77	+#include <linux/netfilter_ipv4/ip_conntrack.h>
78	+#include <linux/netfilter_ipv4/ip_conntrack_core.h>
79	+#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
80	+#include <linux/netfilter_ipv4/ip_tables.h>
81	+#include <linux/netfilter_ipv4/ipt_connlimit.h>
82	+
83	+#define DEBUG 0
84	+
85	+MODULE_LICENSE("GPL");
86	+
87	+/* we'll save the tuples of all connections we care about */
88	+struct ipt_connlimit_conn
89	+{
90	+ struct list_head list;
91	+ struct ip_conntrack_tuple tuple;
92	+};
93	+
94	+struct ipt_connlimit_data {
95	+ spinlock_t lock;
96	+ struct list_head iphash[256];
97	+};
98	+
99	+static int ipt_iphash(u_int32_t addr)
100	+{
101	+ int hash;
102	+
103	+ hash = addr & 0xff;
104	+ hash ^= (addr >> 8) & 0xff;
105	+ hash ^= (addr >> 16) & 0xff;
106	+ hash ^= (addr >> 24) & 0xff;
107	+ return hash;
108	+}
109	+
110	+static int count_them(struct ipt_connlimit_data *data,
111	+ u_int32_t addr, u_int32_t mask,
112	+ struct ip_conntrack *ct)
113	+{
114	+#if DEBUG
115	+ const static char *tcp[] = { "none", "established", "syn_sent", "syn_recv",
116	+ "fin_wait", "time_wait", "close", "close_wait",
117	+ "last_ack", "listen" };
118	+#endif
119	+ int addit = 1, matches = 0;
120	+ struct ip_conntrack_tuple tuple;
121	+ struct ip_conntrack_tuple_hash *found;
122	+ struct ipt_connlimit_conn *conn;
123	+ struct list_head hash,lh;
124	+
125	+ spin_lock(&data->lock);
126	+ tuple = ct->tuplehash[0].tuple;
127	+ hash = &data->iphash[ipt_iphash(addr & mask)];
128	+
129	+ /* check the saved connections */
130	+ for (lh = hash->next; lh != hash; lh = lh->next) {
131	+ conn = list_entry(lh,struct ipt_connlimit_conn,list);
132	+ found = ip_conntrack_find_get(&conn->tuple,ct);
133	+ if (0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
134	+ found != NULL &&
135	+ found->ctrack->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
136	+ /* Just to be sure we have it only once in the list.
137	+ We should'nt see tuples twice unless someone hooks this
138	+ into a table without "-p tcp --syn" */
139	+ addit = 0;
140	+ }
141	+#if DEBUG
142	+ printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d %s\n",
143	+ ipt_iphash(addr & mask),
144	+ NIPQUAD(conn->tuple.src.ip), ntohs(conn->tuple.src.u.tcp.port),
145	+ NIPQUAD(conn->tuple.dst.ip), ntohs(conn->tuple.dst.u.tcp.port),
146	+ (NULL != found) ? tcp[found->ctrack->proto.tcp.state] : "gone");
147	+#endif
148	+ if (NULL == found) {
149	+ /* this one is gone */
150	+ lh = lh->prev;
151	+ list_del(lh->next);
152	+ kfree(conn);
153	+ continue;
154	+ }
155	+ if (found->ctrack->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT) {
156	+ /* we don't care about connections which are
157	+ closed already -> ditch it */
158	+ lh = lh->prev;
159	+ list_del(lh->next);
160	+ kfree(conn);
161	+ nf_conntrack_put(&found->ctrack->infos[0]);
162	+ continue;
163	+ }
164	+ if ((addr & mask) == (conn->tuple.src.ip & mask)) {
165	+ /* same source IP address -> be counted! */
166	+ matches++;
167	+ }
168	+ nf_conntrack_put(&found->ctrack->infos[0]);
169	+ }
170	+ if (addit) {
171	+ /* save the new connection in our list */
172	+#if DEBUG
173	+ printk("ipt_connlimit [%d]: src=%u.%u.%u.%u:%d dst=%u.%u.%u.%u:%d new\n",
174	+ ipt_iphash(addr & mask),
175	+ NIPQUAD(tuple.src.ip), ntohs(tuple.src.u.tcp.port),
176	+ NIPQUAD(tuple.dst.ip), ntohs(tuple.dst.u.tcp.port));
177	+#endif
178	+ conn = kmalloc(sizeof(*conn),GFP_ATOMIC);
179	+ if (NULL == conn)
180	+ return -1;
181	+ memset(conn,0,sizeof(*conn));
182	+ INIT_LIST_HEAD(&conn->list);
183	+ conn->tuple = tuple;
184	+ list_add(&conn->list,hash);
185	+ matches++;
186	+ }
187	+ spin_unlock(&data->lock);
188	+ return matches;
189	+}
190	+
191	+static int
192	+match(const struct sk_buff *skb,
193	+ const struct net_device *in,
194	+ const struct net_device *out,
195	+ const void *matchinfo,
196	+ int offset,
197	+ const void *hdr,
198	+ u_int16_t datalen,
199	+ int *hotdrop)
200	+{
201	+ const struct ipt_connlimit_info *info = matchinfo;
202	+ int connections, match;
203	+ struct ip_conntrack *ct;
204	+ enum ip_conntrack_info ctinfo;
205	+
206	+ ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
207	+ if (NULL == ct) {
208	+ printk("ipt_connlimit: Oops: invalid ct state ?\n");
209	+ *hotdrop = 1;
210	+ return 0;
211	+ }
212	+ connections = count_them(info->data,skb->nh.iph->saddr,info->mask,ct);
213	+ if (-1 == connections) {
214	+ printk("ipt_connlimit: Hmm, kmalloc failed :-(\n");
215	+ hotdrop = 1; / let's free some memory :-) */
216	+ return 0;
217	+ }
218	+ match = (info->inverse) ? (connections <= info->limit) : (connections > info->limit);
219	+#if DEBUG
220	+ printk("ipt_connlimit: src=%u.%u.%u.%u mask=%u.%u.%u.%u "
221	+ "connections=%d limit=%d match=%s\n",
222	+ NIPQUAD(skb->nh.iph->saddr), NIPQUAD(info->mask),
223	+ connections, info->limit, match ? "yes" : "no");
224	+#endif
225	+
226	+ return match;
227	+}
228	+
229	+static int check(const char *tablename,
230	+ const struct ipt_ip *ip,
231	+ void *matchinfo,
232	+ unsigned int matchsize,
233	+ unsigned int hook_mask)
234	+{
235	+ struct ipt_connlimit_info *info = matchinfo;
236	+ int i;
237	+
238	+ /* verify size */
239	+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_connlimit_info)))
240	+ return 0;
241	+
242	+ /* refuse anything but tcp */
243	+ if (ip->proto != IPPROTO_TCP)
244	+ return 0;
245	+
246	+ /* init private data */
247	+ info->data = kmalloc(sizeof(struct ipt_connlimit_data),GFP_KERNEL);
248	+ spin_lock_init(&(info->data->lock));
249	+ for (i = 0; i < 256; i++)
250	+ INIT_LIST_HEAD(&(info->data->iphash[i]));
251	+
252	+ return 1;
253	+}
254	+
255	+static void destroy(void *matchinfo, unsigned int matchinfosize)
256	+{
257	+ struct ipt_connlimit_info *info = matchinfo;
258	+ struct ipt_connlimit_conn *conn;
259	+ struct list_head *hash;
260	+ int i;
261	+
262	+ /* cleanup */
263	+ for (i = 0; i < 256; i++) {
264	+ hash = &(info->data->iphash[i]);
265	+ while (hash != hash->next) {
266	+ conn = list_entry(hash->next,struct ipt_connlimit_conn,list);
267	+ list_del(hash->next);
268	+ kfree(conn);
269	+ }
270	+ }
271	+ kfree(info->data);
272	+}
273	+
274	+static struct ipt_match connlimit_match = {
275	+ .name = "connlimit",
276	+ .match = &match,
277	+ .checkentry = &check,
278	+ .me = THIS_MODULE,
279	+};
280	+
281	+static int __init init(void)
282	+{
283	+ return ipt_register_match(&connlimit_match);
284	+}
285	+
286	+static void __exit fini(void)
287	+{
288	+ ipt_unregister_match(&connlimit_match);
289	+
290	+}
291	+
292	+module_init(init);
293	+module_exit(fini);